Regin Virus: Did The US / NSA Build A Better Doomsday Weapon?

Hello ATS.

This one should be short, as I am pressed for time this afternoon. I was just scanning through articles when I came across a very interesting study of a virus, first discovered in the wild in 2008 that has some very, very suspicious aspects - namely who and what it attacks.

Specifically telecoms, infrastructures and businesses in mostly non-English speaking nations ( Though it does target the Irish. The UK government must love that.

News of the latest advanced malicious software threat called Regin comes with a silver lining. The good news is most people in the English-speaking world won't have to worry about it.

The bad news? Everyone else does.

Pronounced "region," the malware is a cyber-espionage tool built to steal the secrets of many foreign governments and businesses, said a report published Sunday by security specialist Symantec. Regin avoids detection with a specialized design as it ferrets out critical information. It's been used since 2008 to infiltrate email databases, monitor network traffic, steal passwords, snag screenshots and record mouse clicks.

Regin could represent a new, more advanced wave, something Symantec called "groundbreaking" and "almost peerless" in its report. Why is it so special? Who it targets, and who it doesn't.

While many of the documents leaked by National Security Agency contractor Edward Snowden last year point to espionage committed against the closest of US allies, Regin appears to have spared five English-speaking countries: The US, the United Kingdom, Australia, New Zealand and Canada. Among the countries where researchers detected infections were Germany, Russia, Saudi Arabia, Syria, Brazil, Belgium, Mexico, and India, but also Ireland -- part of the UK.

Source

As the article says, this virus is so advanced that average people do not have to worry about it because reverse engineering it would be too difficult and costly. But given what it does target - there is no real reasonable doubt of what the intention of this malware is...

To turn entire nations, or blocks of nations "off" Communications, infrastructure, banking, finance, business...

Think about it. This could effectively be as damaging to a nation as a nuclear weapon - but without the property destruction and instant loss of life. No more need for "shock and awe" and endless ground wars. With this is would feasibly possible to simply make a phone call and threaten to turn a nations clock back to the stone age with a keystroke.

No defense, no warning, no bravado. Simply shut it all down.

Imagine what a weapon like this could do to the balance of world power. And funny that - it doesn't seem to want to hurt China or the US.

Very fishy.

Thanks ATS!

If you've ever been involved in large-scale projects involving technology, you know damn well that you need to test your system before it goes into production.

If you want to shut down communication for millions of people, you can't expect it to work correctly the first time around. Remember- lots of well paid people dedicate their lives to making sure these systems will continue to function in the event of huge problems.
If a hostile takeover of a nation is your plan, you can't risk news spreading faster than bullets- and there's no way you'll get that right on your first try!

a reply to: lordcomac

Stuxnet worked.

10 minutes ago: Nuclear weapons. 5 minutes ago: EMPs Now: shutting countries down with a computer virus.

I like EMPs better, this stuff is too Skynetty for me. Given the state of the US gov and how they hate their own people I can imagine they have something similar in place to shut the US down too.

a reply to: Hefficide

Interesting, thanks for sharing. I'm sure it works great and is probably constantly auto-updating with new hacks and hacks to work around patched holes.

FWIW, an official release was made on this yesterday by US-CERT via information gathered by Symantec detailing what's known about this, as well as MD5 Hashes that are known to help identify it at this time:

Systems Affected: Microsoft Windows NT, 2000, XP, Vista, and 7
Overview:
On November 24, 2014, Symantec released a report on Regin, a sophisticated backdoor Trojan used to conduct intelligence-gathering campaigns. At this time, the Regin campaign has not been identified targeting any organizations within the United States. Description Regin is a multi-staged, modular threat—meaning it has a number of components, each dependent on others to perform an attack. Each of the five stages is hidden and encrypted, with the exception of the first stage. The modular design poses difficulties to analysis, as all components must be available in order to fully understand the Trojan. Impact Regin is a remote access Trojan (RAT), able to take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilization. The complex design provides flexibility to actors, as they can load custom features tailored to individual targets.

Solution: Users and administrators are recommended to take the following preventive measures to protect their computer networks:
Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information). [2 (link is external)]
Keep your operating system and application software up-to-date – Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).

The following is a list of the Indicators of Compromise (IOCs) that can be added to network security solutions to determine whether they are present on a network.
MD5s:
Stage 1 files,
32 bit: 06665b96e293b23acc80451abb413e50 187044596bc1328efa0ed636d8aa4a5c 1c024e599ac055312a4ab75b3950040a 2c8b9d2885543d7ade3cae98225e263b 4b6b86c7fec1c574706cecedf44abded 6662c390b2bbbd291ec7987388fc75d7 b269894f434657db2b15949641a67532 b29ca4f22ae7b7b25f79c1d4a421139d b505d65721bb2453d5039a389113b566 26297dc3cd0b688de3b846983c5385e5 ba7bb65634ce1e30c1e5415be3d1db1d bfbe8c3ee78750c3a520480700e440f8 d240f06e98c8d3e647cbf4d442d79475 ffb0b9b5b610191051a7bdf0806e1e47

Unusual stage 1 files apparently compiled from various public source codes merged with malicious code: 01c2f321b6bfdb9473c079b0797567ba 47d0e8f9d7a6429920329207a32ecc2e 744c07e886497f7b68f6f7fe57b7ab54 db405ad775ac887a337b02ea8b07fddc
Stage 1, 64-bit system infection: bddf5afbea2d0eed77f2ad4e9a4f044d c053a0a3f1edcbbfc9b51bc640e808ce e63422e458afdfe111bd0b87c1e9772c
Stage 2, 32 bit: 18d4898d82fcb290dfed2a9f70d66833 b9e4f9d32ce59e7c4daf6b237c330e25
Stage 2, 64 bit: d446b1ed24dad48311f287f3c65aeb80
Stage 3, 32 bit: 8486ec3112e322f9f468bdea3005d7b5 da03648948475b2d0e3e2345d7a9bbbb
Stage 4, 32 bit: 1e4076caa08e41a5befc52efd74819ea 68297fde98e9c0c29cecc0ebf38bde95 6cf5dc32e1f6959e7354e85101ec219a 885dcd517faf9fac655b8da66315462d a1d727340158ec0af81a845abd3963c1
Stage 4, 64 bit: de3547375fbf5f4cb4b14d53f413c503

Note: Stages 2, 3, and 4 do not appear on infected systems as real files on disk.

Hashes are provided for research purposes only.
Registry branches used to store malware stages 2 and 3:
\REGISTRY\Machine\System\CurrentControlSet\Control\RestoreList
\REGISTRY\Machine\System\CurrentControlSet\Control\Class\[39399744-44FC-AD65-474B-E4DDF-8C7FB97]
\REGISTRY\Machine\System\CurrentControlSet\Control\Class\[3F90B1B4-58E2-251E-6FFE-4D38C5631A04]
\REGISTRY\Machine\System\CurrentControlSet\Control\Class\[4F20E605-9452-4787-B793-D0204917CA58]
\REGISTRY\Machine\System\CurrentControlSet\Control\Class\[9B9A8ADB-8864-4BC4-8AD5-B17DFDBB9F58]

IP IOCs :
61.67.114.73
202.71.144.113
203.199.89.80
194.183.237.145

November 25, 2014: Initial Release

Here's a direct link to the United States Computer Emergency Readiness Team's(US-CERT) writeup: Linkage

a reply to: lordcomac

Don't know about that, this is a highly adaptive and tailor made threat. Meaning it's designed to work it's first time; it's curtailed to breech it's specific targets countermeasures. As you can see in the article, even knowing the hashes is kind of a moot point since most of the files don't even show up in a standard filesystem.

a reply to: parad0x122
Thanks for the info and I checked for the GUID in my windows registry and its clear.

Windows started life as a simple file server platform based on Dos (Disk operating system) and has evolved into a bloated virus platform environment that just keeps growing in size so that Bill and his team can hide yet more backdoors via updates that turn themselves back on if you don't kill the service. Forgot it's name because it's mixed up with about another 150 services and god knows how many hidden processes that hide in Dll's to be hosted by Task-Host or Service-Host which are all used to hide what MS is doing.

China is developing its own O/S and if they release an English version and it's small then I will take the jump because we cannot continue with Microsoft who now seems to have trouble just copying files from A to B

I say this because I deleted a file, copied a new one over with the same name and windows reverted back to the old file and no I did not make a mistake and when you right-click a file you have to do it a second time just to get the right popup options.

The wheels are falling off the bus, look for another form of transport

a reply to: parad0x122

As you can see in the article, even knowing the hashes is kind of a moot point since most of the files don't even show up in a standard filesystem.

NTFS is a file system that has been taken to the extreme with permissions, owners, effective owners, hidden folders, super hidden folders, jump links, shortcuts and even locks on files even when nothing according to windows is accessing the file of folder and if you watched what windows file manager does on a web-dav server then you would see it's all about spying and that MS does not know anything about client/server design unless it involves trying to sell you another windows licence.

trusting MS to encrypt your file system is silly and windows have spent a lot of time locking programs like True-Crypt out of win-8 because they cannot bear the NSA being in a position where they cannot read your files.

a reply to: VirusGuard

Amen to that, R.I.P. truecrypt, it was such a solid disk-based encryption solution Did you check out the quasi-replacement made by some of the same developer? It's called VeraCrypt. It's pretty solid.

a reply to: VirusGuard

Oh also, do you happen to know what China will be calling this OS? I love toying with new OS's, and it's been awhile since we've seen anything other than a port-over of one of the main Linux OS's or a re-skinned version of Windows.

a reply to: parad0x122

China already has a mobile O/S called COS - and Ubuntu Kylin is the official O/S of the Government. From what I can find online it appears that China is probably adapting the Linux kernel - or Kylin itself - to include a lot more security, particularly in the way of making sure the O/S cannot be used to undermine the Great Firewall.

a reply to: Hefficide

I read the Kaspersky analysis last week and, yes, it's got all the signs of being a high-end code directly from US/UK sources. There's an apparent focus on interests that fall outside of the Five Eyes umbrella.

The absence of China could be for several reasons. Too small a sample size to tell and plausible deniability are the first that spring to mind.

As it stands, the virus could have been delivered by the Chinese and the 'Five Eyes' are absent to suggest it's US-based. Hard to say and none of the security brains seem to have reached any conclusions one way or another. I also read a CIA analysis in 2011 that undermines any notion of the US and China working together.

One thing is for sure and that's the fact that it's a jungle out there! Spy Vs Spy and no trust between allies or vested interestes. Paranoia is a king who sleeps with both eyes open. Scary stuff.

a reply to: Hefficide

Interesting, sounds kind of like that linux build for pen. testing, I think it was called BackTrack? Thanks for the info!

a reply to: parad0x122
Backtrack is still available but is now called Kali.